All risk is reputation risk.
…and that has implications for risk, communications, HR and marketing directors.
Isn’t it exciting when the business world gets a new topic to rally around? A topic of the moment is Reputation Risk. This one has actually been floating around for a few years now but has gained momentum recently, as a number of high-profile organisations have suffered massive reputational issues arising from what have been described as non-traditional or non-financial risks, i.e. risks not traditionally monitored on a risk register. (A risk register is a tool commonly used in risk management and compliance. It acts as a central repository for all risks identified by an organisation and, for each risk, includes information such as source, nature, treatment option, existing counter-measures, recommended counter-measures and so on.)
Additionally, there has been a rise in insurers selling Reputation Risk policies. This immediately poses the question: can you actually insure a reputation? The answer is, of course, no! Not least because a reputation is an intangible, moving and entirely subjective thing, but also – and despite the best efforts of some – you cannot put a reliable monetary value on a reputation.
So what these insurance policies do is pay out if a company suffers an event which is deemed to be damaging to its reputation. The insurance essentially covers the cost of a crisis response and recovery, which is very much about a communications response. For example, in the event that a company suffers a product recall, the reputation risk insurance would cover a crisis communications response in order to help mitigate the impact on the company’s reputation. It would not cover the costs of the product recall itself or any resulting loss of earnings. So to be clear, the insurance is not paying out for the loss of company earnings or value (such as a share price dip) following a negative event; it’s paying out to help organisations manage the crisis during and following the event, thereby hoping, though not directly, to protect that share price.
All of these events and developments have resulted in a buzz in both reputation and risk circles where many organisations are now considering reputation risk management almost as a separate consideration to traditional risk management.
But what is a reputation risk?
Way back in 2007, Roger Chapman, writing in Security Management News, described reputation risk as “the current or prospective risk to earnings arising from the perception of the image of the company by clients, counterparties, shareholders or regulators”. So he linked shifting perceptions of a company with an impact on earnings.
And in the same year, Professor Michael Power wrote in his book ‘Organised Uncertainty’ that “reputational risk management is not simply a sub-area of risk management. It is the defining project of risk management itself”.
In other words, all risk is reputation risk. Which is obvious when you think about it, because any negative event – whether a tangible event that sits on a traditional risk register, or something less tangible such as bad behaviour of the CEO (for instance) – leads to damage to reputation, which makes it difficult to do business and ultimately has an effect on earnings.
What is interesting about these events that are considered ‘non-traditional’ or ‘non-financial’ risks, is that they are almost exclusively linked to the behaviour of employees or, to a lesser degree, close partners of the company in question.
Indeed, some excellent research by EY found that one of the biggest risks to the reputations of banks is the ‘rogue employee’. We’ve also seen the reputations of major organisations called into question because of the behaviour of the CEO. Co-op Bank and FIFA are two obvious cases.
The behaviour of just one employee can now have a huge impact on the reputation of a company, and indeed, its very freedom to operate.
So what are the implications for organisations looking to manage reputation risk?
The risk manager who has traditionally sat in compliance with a reporting line to the CFO now needs to be satisfied that the organisation has effective procedures in place for ensuring staff – from the leadership through to the most distant link in the supply chain – are fully aligned with company values and strategy and that they each understand how this applies to their role and responsibilities.
The challenge here is that managing this type of risk (like managing reputation) cannot be done in a silo. The risk manager now needs to be sitting with the HR Director and indeed the Corporate Comms and Public Affairs Director on what has been described by some organisations, such as IHG, who are applying best practice in this area, as a Reputation and Risk Council.
It’s another example of the new business model required to operate successfully in the 21st Century, where silos are broken down and replaced with greater cross-functional collaboration in both strategic planning and operations management.
On the face of it, the implications can look huge, but it actually just comes down to effective internal communications and collaboration across functions.
This link provides a similar viewpoint from Deloitte with an excellent checklist to consider in ensuring your organisation is effectively managing Reputation Risk.